Closes a bypass surfaced by the 2026-04 audit probe (axis-1 Q2): any
authenticated user could POST /api/v1/subscriptions/subscribe on a paid
plan and receive 201 active without the payment provider ever being
invoked. The resulting row satisfied `checkEligibility()` in the
distribution service via `can_sell_on_marketplace=true` on the Creator
plan — effectively free access to /api/v1/distribution/submit, which
dispatches to external partners.
Fix is centralised in `GetUserSubscription` so there is no code path
that can grant subscription-gated access without routing through the
payment check. Effective-payment = free plan OR unexpired trial OR
invoice with non-empty hyperswitch_payment_id. Migration 980 sweeps
pre-existing fantôme rows into `expired`, preserving the tuple in a
dated audit table for support outreach.
Subscribe and subscribeToFreePlan treat the new ErrSubscriptionNoPayment
as equivalent to ErrNoActiveSubscription so re-subscription works
cleanly post-cleanup. GET /me/subscription surfaces needs_payment=true
with a support-contact message rather than a misleading "you're on
free" or an opaque 500. TODO(v1.0.7-item-G) annotation marks where the
`if s.paymentProvider != nil` short-circuit needs to become a mandatory
pending_payment state.
Probe script `scripts/probes/subscription-unpaid-activation.sh` kept as
a versioned regression test — dry-run by default, --destructive logs in
and attempts the exploit against a live backend with automatic cleanup.
8-case unit test matrix covers the full hasEffectivePayment predicate.
Smoke validated end-to-end against local v1.0.6.2: POST /subscribe
returns 201 (by design — item G closes the creation path), but
GET /me/subscription returns subscription=null + needs_payment=true,
distribution eligibility returns false.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Hotfix surfaced by the v1.0.6 refund smoke test. Migration 978's plain
UNIQUE constraint on hyperswitch_refund_id collided on empty strings
— two refunds in the same post-Phase-1 / pre-Phase-2 state (or a
previous Phase-2 failure leaving '') would violate the constraint at
INSERT time on the second attempt, even though the refunds were for
different orders.
* Migration 979_refunds_unique_partial.sql replaces the plain
UNIQUE with a partial index excluding empty and NULL values.
Idempotency for successful refunds is preserved — duplicate
Hyperswitch webhooks land on the same row because the PSP-
assigned refund_id is non-empty.
* No Go code change. The bug was purely in the DB constraint shape.
Smoke test that caught it — 5/5 scenarios re-verified end-to-end:
happy path, idempotent replay (succeeded_at + balance strictly
invariant), PSP error rollback, webhook refund.failed, double-submit.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Follow-up to the v1.0.5 hardening sprint. That release validated the
`register → verify → play` critical path end-to-end; this one addresses
the next layer — the UX friction and operational blindspots that a
first-day public user (or a first-day on-call) would hit. Six targeted
commits, each with its own tests:
* Fix 1 — Self-service creator role (9f4c2183a)
* Fix 2 — Upload size limits from a single source (7974517c0)
* Fix 3 — Unified SMTP env schema on canonical SMTP_* names (9002e91d9)
* Fix 4 — Refund reverse-charge with idempotent webhook (92cf6d6f7)
* Fix 5 — RTMP ingest health banner on Go Live (698859cc5)
* Fix 6 — RabbitMQ publish failures no longer silent (4b4770f06)
Breaking changes:
* marketplace.MarketplaceService.RefundOrder now returns
(*Refund, error) — callers must accept the pending refund row.
* Internal refundProvider interface changed from
Refund(...) error to CreateRefund(...) (refundID, status, err).
* Order status machine gains `refund_pending` as an intermediate
state. Clients reading orders.status should not treat it as
refunded yet.
Parked for v1.0.7:
* Partial refunds (UX decision + call-site wiring)
* Stripe Connect Transfers:reversal (internal accounting is
already corrected; this is the external money-movement call)
* CloudUploadModal.tsx unifying on /upload/limits
* Manual smoke test of refund flow against Hyperswitch sandbox
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
A fresh clone + `cp veza-backend-api/.env.template .env` + `make dev-full`
booted the backend with `SMTP_HOST=""` — `EmailService.sendEmail` short-
circuits to log-only when the host is empty, so `register` + `password
reset` produced users stuck with no way to verify (or recover) in dev,
and the smoke test caught MailHog empty despite the service being up.
- `.env.template` now ships MailHog-ready defaults (`localhost:1025`,
UI on `:8025`, `FROM_EMAIL=no-reply@veza.local`) so a bare clone +
copy gives a working register flow. Comment rewritten to point at
both the dev path and the prod override.
- Also exports duplicate variable names (`SMTP_USERNAME`, `SMTP_FROM`,
`SMTP_FROM_NAME`) read by `internal/email/sender.go`. The two email
services in-tree disagree on env schema (`SMTP_USER` vs
`SMTP_USERNAME`, `FROM_EMAIL` vs `SMTP_FROM`, `FROM_NAME` vs
`SMTP_FROM_NAME`); until v1.0.6 reconciles them, both sets are
populated so whichever path fires finds its names.
Pure config hotfix. No code change, no migration.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Seven targeted fixes to the register → verify → play critical path before
public opening. Each landed in its own commit with dedicated tests; this
commit just rolls VERSION forward and captures the rationale in the
changelog.
Summary of what's in this release:
* Fix 1 — Player muet: /stream endpoint + HLS default alignment
* Fix 2 — Email verify bidon: real SMTP + MailHog + fail-loud in prod
* Fix 3 — Marketplace gratuit: HYPERSWITCH_ENABLED=true required in prod
* Fix 4 — Redis obligatoire: REDIS_URL required in prod + ERROR log
on in-memory PubSub fallback
* Fix 5 — Maintenance mode DB-backed via platform_settings
* Fix 6 — Hourly cleanup of orphan tracks stuck in processing
* Fix 7 — Response cache bypass for range-aware media endpoints
(surfaced by the browser smoke test; prevents Range/Accept-Ranges
strip and JSON-round-trip byte corruption on /stream, /download,
/hls/ and any request with a Range header)
Parked for v1.0.6 (🟠/🟡 audit items + smoke-test ergonomics):
Hyperswitch refund→PSP propagation, livestream UI feedback when
nginx-rtmp is down, upload size mismatch (front 500MB vs back 100MB),
RabbitMQ silent drop on enqueue failure, SMTP_HOST ergonomics for
`make dev` host mode, creator-role self-service onboarding for upload.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
7-day cleanup sprint (J1–J7) done. The codebase is unchanged
functionally but the working tree, docs, k8s runbooks, CI, and
Go dependency graph are all realigned with reality for the first
time since the v1.0.0 release.
VERSION 1.0.2 → 1.0.4 (skips v1.0.3 — that tag already
exists upstream, unused on this branch)
CHANGELOG.md full v1.0.4 entry with per-day (J1–J7) breakdown
and the govulncheck + CI fix trail
docs/PROJECT_STATE.md header month + version table refreshed,
pointer to AUDIT_REPORT.md added
docs/FEATURE_STATUS.md header updated — no feature matrix
changes (no feature work in this sprint)
Key deliverables of the sprint:
J1 0e7097ed1 purge 220 MB of debris (binaries, reports,
session docs, stale MVP scripts)
J2 2aea1af36 rewrite CLAUDE.md, fix README, purge chat-server
refs from k8s runbooks and env examples
J3 67f18892a remove 3 deprecated unused handlers
J3+ 7fa314866 2FA handler duplicate removal (bundled by parallel
ci-cache commit)
J4 9cdfc6d89 GDPR-compliant hard delete with Redis SCAN cursor
and ES DeleteByQuery — closes TODO(HIGH-007)
J5 0589ec9fc defer GeoIP, rename v2-v3-types.ts to domain.ts,
document Storybook kill
J5+ 7f89bebe1 fix lint-staged eslint rule (was linting the
whole project — root cause of earlier --no-verify)
J6 113210734 mark 3 dormant docker-compose files deprecated
fix 3d1f127ad bump x/image, quic-go, testcontainers-go — drops
containerd + docker/docker from dep graph,
resolving 5 govulncheck findings without allowlist
fix b33227a57 bump go.work to 1.25 to match veza-backend-api
fix 73fc6e128 bump x/net v0.51.0 for GO-2026-4559
fix 376d9adc4 retire legacy backend-ci.yml, centralize Docker
probe in SkipIfNoIntegration
CI status on the consolidated ci.yml workflow for 376d9adc4:
Veza CI / Backend (Go) OK 6m36s
Veza CI / Frontend (Web) OK 20m57s
Veza CI / Rust (Stream) OK 6m25s
Security Scan / gitleaks OK 4m13s
Veza CI / Notify skipped (fires only on failure)
First fully green CI run of the sprint and the first in a long
time overall. The tag v1.0.4 is cut on this state.
Refs: AUDIT_REPORT.md, all commits 0e7097ed1..376d9adc4
- ORDER BY dynamiques : whitelist explicite, fallback created_at DESC
- Login/register soumis au rate limiter global
- VERSION sync + check CI
- Nettoyage références veza-chat-server
- Go 1.24 partout (Dockerfile, workflows)
- TODO/FIXME/HACK convertis en issues ou résolus
- PKCE (S256) in OAuth flow: code_verifier in oauth_states, code_challenge in auth URL
- CryptoService: AES-256-GCM encryption for OAuth provider tokens at rest
- OAuth redirect URL validated against OAUTH_ALLOWED_REDIRECT_DOMAINS
- CHAT_JWT_SECRET must differ from JWT_SECRET in production
- Migration script: cmd/tools/encrypt_oauth_tokens for existing tokens
- Fixes: VEZA-SEC-003, VEZA-SEC-004, VEZA-SEC-009, VEZA-SEC-010
